DE112004002259B4 - Access to private data about the status of a data processing machine from a publicly accessible storage - Google Patents

Abstract

According to one embodiment of the invention, a method for operating a data processing machine is described, wherein data on the status of the machine are written to a location in a memory. This is a location accessible to software that may be written for the machine. The written status data is coded. This status data may be retrieved from the memory according to a decoding process. Other embodiments are also described and claimed.

Description

GENERAL PRIOR ART

Some embodiments of the invention relate to the manner in which processors read and write status data from a memory of a computer system. Other embodiments are also described.

Due to various design requirements, some processors may write private state data to publicly accessible memory. The format, semantics and location of this private data may vary depending on the design implementation. In the literature describing the processor, such storage regions are often marked as "RESERVED," indicating that their contents should not be read or modified because they contain private data. Unfortunately, because this data is written to publicly accessible memory, software applications, operating systems, or external agents (eg, input-output devices) may access the memory region and improperly use the private state data stored therein. Accessing and using this Private Information by unauthorized entities may result in erroneous and / or undesirable effects on processor and platform manufacturers and end users.

US 2001/0018736 A1 discloses a tamper-resistant microprocessor storing context information for a program whose execution is to be interrupted, the context information indicating an execution state of the program and the encryption of the execution code for that program. The execution of the program may be restarted by retrieving the execution state of the program from the stored context information.

US 5,655,125 discloses a register for identifying processor characteristics, such as whether the processor includes static logic devices. The disclosed apparatus further comprises a transmission circuit for, upon receipt of a first code, transferring the contents of the register from the processor to a system coupled to the processor.

The object of the invention is to provide a method and a device by which the private status data written in publicly accessible memories is protected against unauthorized use.

This object is achieved by a method having the features according to claim 1, a data processing machine having the features according to claim 12 and a system having the features according to claim 20.

BRIEF DESCRIPTION OF THE FIGURES

The embodiments of the invention are illustrated by way of example and not limitation in the figures of the accompanying drawings, wherein like reference numerals indicate like elements. It should be noted that a reference to "an" embodiment of the invention in this disclosure does not necessarily mean a reference to the same embodiment, and is meant by at least one embodiment.

1 Figure 12 is a block diagram of a computer system that may obscure / encode the public storage of private state data, according to an embodiment of the invention.

2 FIG. 10 is a flow chart illustrating a method of reading a coded private state data value from a private state memory region according to an embodiment of the invention. FIG.

3 FIG. 10 is a flowchart illustrating a method of storing a coded private state data value in a private state memory region according to an embodiment of the invention. FIG.

4 Figure 12 shows a block diagram of a computer system wherein the processor is designed to obscure / encode its private status data written in public memory, according to one embodiment of the invention.

5 FIG. 12 shows example functional components that may be used to implement obfuscation / encoding of the private state data, according to one embodiment of the invention. FIG.

6 shows a more detailed logic diagram of a portion of an exemplary address obfuscation / coding unit according to an embodiment of the invention.

PRECISE DESCRIPTION

The processor status, as written to memory during operation of a processor, includes two types of information or data. One type is referred to herein as architectural data, while the other is referred to as implementation-specific data (also referred to herein as "private data" or "private status data").

Architecture data is status information that is common to all processors of a given class as determined by the manufacturer, ie, they have substantially the same high-level interface between hardware and software. This interface is referred to as the Instruction Set Architecture (ISA). Using the same ISA for several different processor implementations supports the ability of the software written specifically for an implementation to run unmodified on later implementations.

An ISA defines the status that is available for software running on the processor, its format and semantics, as well as available operational interfaces (eg, instructions, events). Part of the ISA specification describes how the processor can use one or more regions in the memory of the machine to support its operation. These storage regions may be accessible to software and other devices of the data processing machine in which the processor is located (eg, input-output devices, etc.). The processor may use these storage regions to store both architectural and private status data.

For example, processors having the ISA of the ^{Intel® Pentium®} processor as manufactured by Intel Corporation, referred to herein as the ISA IA-32, may be considered. The processor can use regions in memory during certain operations. For example, when an ISA IA-32 processor enters system management mode, it stores various values in a memory region called the system management (SMM) state memory area. Various architectural data (eg, the various machine registers such as ESI, EBP, etc.) are stored in locations and formats specified in the documentation for the ISA. In addition, various private data is stored in the system management status storage area. In the documentation for the ISA, these private status areas are marked as "reserved"; the content, format and semantics of this private data are not specified in the ISA documentation. These "reserved" storage regions are referred to herein as "private status regions."

Various processors may be designed to have various private status data, also referred to herein as "private data." This can be done, for example, to improve performance or reduce manufacturing costs. For example, new internal registers may be added, some of the old ones may be used differently, and the format or location of their content to be written into memory may be changed for greater efficiency. As a result, the private data for these newer processors differ in content, format, semantics or location from those of the older versions.

It can be difficult to find private status data in publicly accessible areas such as: As the main memory or other memory. Here it is for software such. For example, the Basic Input Output System (BIOS), operating systems, virtual machine manager or hypervisor, device drivers or applications, and hardware such as I / O devices or other external agents may access (ie read and / or write) the private state data ). Use of such personal status data by such entities may result in erroneous and / or undesirable effects on processor and platform manufacturers and end users. For example, if an application depends on certain private state data that is available in a processor implementation, the application could malfunction if it runs on a different processor implementation that implements the home state data differently (or not at all). Software that relies on private data may also fail due to internal processor memory coherency behaviors that vary from implementation to implementation. Software dependency on private state data may complicate and / or limit the implementation options available to the processor manufacturer regarding private state data usage. For this reason, processor manufacturers often document this private state data (and its storage in a memory region) as RESERVED, indicating that it may be changed in future implementations.

The above possibility of running old software on newer machines assumes that the old software did not access the machine's private data (which may be different on a newer version of the machine). However, it has been discovered that software developers write applications and operating system programs that do the opposite, that is, they access private data as described, for example, in US Pat. B. are stored in main memory and rely on them. This creates a problem because older software may not run correctly on a newer machine, although the newer machine has the same architectural data as the older machine and still has the older mechanisms for accessing stored status data (e.g., load and store instructions according to the ISA) can "understand". This is because with the newer machine, some or all of the private data may have been changed, resulting in the software not working properly. In addition, the Manufacturers are reluctant to provide future versions of their processor with enhancements as this could cause compatibility issues with older software.

According to one embodiment of the invention, there is described a data processing engine and method for operating that may prevent a software developer from writing software that is dependent on home status data (eg, a particular value, its location, semantics or format), stored in a publicly accessible region of the memory. This may allow future versions of the machine to behave differently from private data, which may be required because the machine's internal hardware design evolves while still having the same ISA needed to run older software to make it workable.

Some embodiments of the invention may promote the application of architectural interfaces to data stored as private state data. For example, instructions may be provided to access data that may be stored as private state data by specifying the identity of the data to be accessed rather than the location of the data in the private state data region. This allows for freedom of implementation of how the data is stored (eg, within the private status region) while an architecture mechanism is configured to access the data. For example, it is assumed that a data item stored in the system management status storage area of the ISA IA-32 (as described above) is the value of the CS segment base address. The location of this data item within the state storage area is not specified in the ISA specification. Instead, an instruction may be provided by the ISA that indirectly addresses the data. The data element may be encoded and stored in whatever manner is desired in the status storage area desired for a processor implementation (or not at all stored in the status storage area and may instead be located, for example, in a particular register or location in the processor ).

The invention allows private status data to be encoded to obviate rapid software decoding of the data, as opposed to the predetermined architectural interfaces. Embodiments of the invention may vary encoding complexity depending on the target processor or platform. Once the destination processor is known, one skilled in the art may choose an embodiment of the invention that ensures that software-based methods for decoding the selected encoding take more time than using the given interfaces (e.g., instructions). For example, non-predetermined software methods may be able to store certain private state data in 400 To decode clocks (for example, by the use of certain instructions and algorithms), while prescribed by the architecture instructions and procedures would require only a fraction of this time. One embodiment of the invention is the use of certain measurements to measure the cost of private state decoding, including, for example, time (speed) and power consumption measurements.

The term "encoding" as used herein includes concepts such as encryption, ciphering, formatting, or the assignment or interpretation of specific bit patterns. Encodings by embodiments of this invention are referred to herein as "disguised" private data.

Referring to 1 a block diagram of a computer system is shown. software 120 runs on a platform hardware 102 , The platform hardware 102 may be a personal computer (PC), a mainframe, a portable device, a portable computer, a digital receiver, or any other computer system. The platform hardware 102 includes a processor 110 , Storage 130 and may include one or more input-output (I / O) devices 140 exhibit.

The processor 110 can be any type of processor capable of executing software, such as: As a microprocessor, a digital signal processor, a microcontroller or the like. The processor 110 may include microcode, programmable logic or hard-coded logic for carrying out the execution of certain method embodiments of the present invention. Even though 1 just such a processor 110 For example, more than one processor may be provided in the system.

The I / O device or I / O devices 140 For example, network interface cards, communication ports, video controllers, hard disk controllers, system busses and controllers (eg, PCI, ISA, AGP), or devices integrated with the platform chipset logic or processor (e.g., real-time clocks, programmable clocks, power meter). Some or all I / O devices 140 may have a direct memory access (DMA) capability, which allows them to access the memory 130 regardless of the control by the processor 110 or the software 120 to read and / or describe.

The memory 130 For example, a hard disk, a floppy disk, a random access memory (RAM), a cache, a read only memory (ROM), a flash memory, a static random access memory (SRAM), a combination of said devices, or any other type of storage medium to which the processor 110 can access. The memory 130 may store instructions and / or data for carrying out the method embodiments of the present invention. The memory 130 may be a publicly accessible portion of a register file of the processor, or it may be an area external to the processor, such as an external portion of the processor. B. the main memory.

Data on the status of the machine 112 , such as For example, the content of certain internal registers 114 , becomes a private status area 132 In the storage room 130 where the written status data is "coded" or "obfuscated". Thus, although the location to which the status data is written is public, by the I / O devices or the software 120 (eg the operating system 122 or application software 124 ) on the platform hardware 102 running, the encoding makes it difficult to reverse engineer (ie decode) the status data in a timely manner. When the status data is out of memory 130 be retrieved, a predetermined decoding process, for. For example, a processor initiated decoding process defined by the processor manufacturer is used. Control over the decoding process may be associated with certain processor functions, such as: As specific instructions and control signals, as will be explained below. Unspecified procedures (alternative software instructions and algorithms) for accessing status data would not activate these controls and could therefore be more costly.

The retrieved data can then be in local status 112 be moved for software 120 or the I / O devices 140 can be accessible or not. The local status 112 For example, a region may be in an internal cache or register that is not available for uncontrolled access through the Instruction Set Architecture (ISA). In some cases, software or other external agents (such as I / O devices) can not access the local state. In some cases, all or part of the local status is accessible to software or other external agents. In other cases, the local status can be accessed indirectly via special interfaces (eg instructions). Since the local state is internally located in the processor and "public" memory, the processor can strictly dictate access to the local state.

Although the status data in the publicly accessible area of the memory 130 may be in coded form, the software may use a vendor-defined instruction that may be part of the ISA for the processor to retrieve the data from memory 130 retrieve. The encoding should be strong enough to prevent software developers from surrounding such an instruction when seeking access to the status data. An example of the internal logic needed to read or fetch the status data from memory using a micro-operation or hardware control signal will be described below with reference to FIG 5 to be discribed.

In one embodiment, the encoding process used need only be strong enough to be an author of the software 120 to cause the software to write using a method dictated by a manufacturer of the processor to access the status data from the memory instead of bypassing the method. In other cases, the coding may be stronger if the manufacturer wants to make it difficult for the software developer to access and rely on the status data (including certain values, location, semantics or format) present in the memory.

Control signals used to control the encoding and decoding of the private status data may be sent to hardware state machines, processor instructions (also known as macro instructions), operating modes (e.g., PAL modes), or mode bits or instruction operation groups, microcodes, or microcode Operations (UOPs) and hardware control signals or events may be coupled to or accessible to them.

Various types of coding processes can be used. The data written to the private status region of the memory may be changed prior to storage. This type of encoding process is called data encoding. Alternatively, the addresses used to access private status data in private status regions may be changed. This type of encoding process is referred to as address veiling, and the conversion from the original address to the veiled address is referred to as address mapping. Data encoding and address obfuscation are described below.

Encoding processes can be either static or dynamic. Static encodings do not change over time while the machine is running (and performing the encoding process). (Static codes can be used during the Initialization, or during the startup phase, but not later during operation.) A process that generates static encodings is referred to as static obfuscation.

For example, a storage format may contain the contents of a particular item of private state data, such as memory 130 written, change while the machine is running. This is called dynamic obfuscation. For example, the format may switch between big-endian and little-endian after a random or pseudorandom sequence (which the processor generates and tracks) whenever the status data needs to be written to memory; this change can only affect the memory region (s) from which the private data is read or written to. Again, the intention here is to rapidly rebuild and decode the status data from a memory region in memory 130 difficult to make public.

In one embodiment, private state data, when it is to be written to memory, is written to a memory region (eg, main memory) that has contiguous addresses. In other embodiments, the private data area is contiguous and consists of more than one separate storage region. It is not necessary that the coding completely occupy the private status region; d. h., some bits or bytes are left unused. Some degree of freedom in designing the encoding and / or obfuscation functions can be achieved by changing the size of the private status region, for example, by making it larger than strictly necessary to store the private data. (For example, this would allow the use of larger polynomials in the Multiple Input Shift Register (MISR), as described later.)

In one embodiment, a multibyte value (eg, a 32-bit "long" integer) of status data is divided into multiple parts, which are then stored in non-contiguous locations rather than in a sequence. In this way, a 4-byte value can be divided into four 1-byte values stored in non-contiguous locations in a private state region. The locations where the four 1-byte values are stored may undergo a dynamic and random change while the machine is operating. Of course, the embodiments should also be able to locate and decode such data. It should be noted that the ISA may impose certain requirements regarding the atomicity of the accesses in the event that individual data values are stored or loaded using multiple memory accesses.

In one embodiment of the invention, the address bits used for memory access are encoded. This coding of address bits can change the order of the address bits (or address bit groups). An example of this may be moving from little-endian format to big-endian format within a particular memory area. Other address mixes are possible, with some involving more complex conversions.

Another type of address coding assigns a set of unique addresses K to a different set of unique addresses K; that is, the assignment is mathematically bijective (both injective (one-to-one) and surjective (to)). Here, the upper address bits can remain unchanged while the lower address bits are modified. In such cases, it is possible to form mappings that map a particular memory area to itself. That is, the base address shift of the storage section is the same, and the size of the storage region is the same. This is an attractive solution because only the data within the memory section is "obfuscated". That is, only the address bits within the memory section are mixed. 4 and 6 illustrate examples of such an association and associated address mixing mechanisms.

Address veiling mechanisms are easier to use when the private status regions have a size or base address that is powers of the underlying N-ary logic. Most current processors use binary logic, which is why private status regions with a size or base address that is a power of 2 are preferable. (Binary logic and arithmetic are treated here, but N-ary logic and arithmetic can be used if needed and are generally accepted.) Filters and other mechanisms can be used to manage private status regions with a size or base address that is not Powers of N-ary logic are. Such address bit manipulations may exist in addition to various memory arrangements and virtual memory methods (eg, page orientation, segmentation, etc.).

Address veiling mechanisms may alter the data arrangement in memory and serve to mix the data, but sometimes only with granularity of the memory. For most current processors, the main memory is byte-addressable, and therefore the location of individual bytes of a data item within the private status region can be rearranged, however, the data bits within individual bytes are not altered by the address veiling (although they may be altered by data encoding mechanisms).

In these address mapping embodiments, the original address assignments may be extracted by a decoding process. This extraction is the application of an inverse function of the address assignment function. The selection of the assignment function can take place in consideration of this requirement, since not all address assignment functions are reversible.

An embodiment of the invention encodes the data bits written to memory. These data encodings can transform the data stored in the private state region without necessarily being constrained by addressability constraints, such as: B. the size of the addressable memory. Data segments can be swapped with other data segments. For example, two nibbles (ie, 4-bit segments in one byte) within each byte may be swapped. Data encodings can be bitwise exclusive OR within a constant XOR mask. Data can also be encoded bit by bit exclusive OR with the output of a MISR (Multiple Input Feedback Shift Register). Data encodings can be done using a cryptographic function. In these embodiments, the original data may be extracted by a decoding process. This decoding process should ensure that it is faster than decoding techniques available to the software running on the platform (eg, use of ISA-defined load and store operations, mathematical operations, etc.). The charts 470 and 480 out 4 show, for example, the use of a Vigenère type cipher applied to data (bytes) within a particular 16-byte portion of the memory addresses.

Some of the above embodiments may be implemented with static mappings. That is, they do not change during the operating time of the processor or platform. Suitable assignments may be made at the time of design, during manufacture, after manufacture, or early in system operation (eg, during system boot, when the system is powered up, when the processor is reset). Different processors may or may not be configured with the same static mappings. If mappings are not set until the system is ready (for example, at system startup), it is possible to choose a new mappings each time the processor starts up. In one embodiment, different control groups (eg, operation modes, groups of instructions) may each use a different assignment configuration. Within a control group, the assignments remain constant. However, between instruction groups or modes, the mappings may or may not be different.

Other embodiments may be implemented with dynamic allocations that change while the processor is operating. In one embodiment, mapping configurations may only change if no remaining encoded data is currently stored in a private status region of the memory. This embodiment may use a counter which is incremented when coded data is written to a private status region of the memory so that it is activated. The counter is decremented if the Private Status region is no longer considered active. If the counter is zero, the mapping configuration can be changed. In one embodiment, the mapping configuration for each private state region is stored in a mapping descriptor. The assignment descriptor may be stored at a known unencoded location within the private status region itself or separated by a tracking structure such as a tracking structure. For example, a queue or look-up table may be maintained that may be internal or external to the processor. In one embodiment, different associations are possible for each private status region.

2 shows process 200 for reading a coded private state data value from a private state memory region according to an embodiment of the invention. The process may be performed by processing logic, hardware (eg, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as running on a general purpose computer system or dedicated machine), or a combination of the two both include. In one embodiment, the processing logic is in processor 110 out 1 implemented.

Referring to 2 begins process 200 in that the processing logic determines an address for the data element (processing block 202 ). Next, the process logic determines whether the data item is stored in coded form in a private status region of the memory (processing block 204 ).

One embodiment of the invention utilizes a microcode-generated or hardware-generated control signal that indicates to the processing logic that the interrogated data item requires decoding. An absence of this signal causes the NO path to block 250 is taken.

If the data item is not to be decoded, the processing logic goes to processing block 250 over where it loads a data item from memory at the address in the processing block 202 was determined. The process can then end. The loaded data will not be decoded; that is, no address or data decoding is performed. It should be noted that the data read on this path may be of an ordinary nature (ie, are not private state data) or private state data may be in coded form (but accessed in an undefined manner).

However, if the data item is to be decoded, the processing logic next determines from the address written in processing block 202 was determined, the address under which it is stored (the address may be obfuscated) (processing block 210 ). The processing logic next loads the encoded data item from memory at the address that is in processing block 210 was determined (processing block 220 ). The processing logic then decodes the data item in the processing step 220 has been loaded from the private status region of the memory (processing block 230 ). The decoded value is a result of the process 200 , The process can then end. Often, the decoded state is stored in a private state cache or the private local state of the processor.

3 shows process 300 for storing a private status data value in a private status region of the memory according to an embodiment of the invention. The process may be performed by processing logic, hardware (eg, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as running on a general purpose computer system or dedicated machine), or a combination of the two both include. In one embodiment, the processing logic is in processor 110 out 1 implemented.

Referring to 3 begins process 300 in that the processing logic determines a data value and a memory address of a data element (processing block 302 ). Next, the processing logic determines whether the data item to be stored is a private status item to be stored in coded form in a private status region of the memory (processing block 304 ).

One embodiment of the invention uses a microcode-generated or hardware-generated control signal to indicate to the processing logic that the written data item requires coding. An absence of this signal causes the NO path to block 350 is taken.

If the data item is not to be stored in coded form in a private status region, the processing logic goes to processing block 350 where it stores the data item in uncoded (unmodified) form in memory at the address in the processing block 302 was determined. The process can then end. The written data is not coded.

However, if the data item is to be stored in coded form in a private status region, the processing logic next encodes the data item (processing block 310 ) and determines a concealed address under which the data item is to be stored (processing block 320 ). The processing logic then stores the now encoded data item in memory at the address specified in processing block 320 was determined (processing block 330 ). The process can then end.

It should be noted that the processing used in processing block 310 and processing block 320 is carried out, can also be performed in reverse order, ie the obfuscation of the address value takes place before the encoding of the data. Some embodiments perform only one and not both processing blocks. Some embodiments may execute the processing blocks in parallel.

Referring to 4 is a computer system 402 shown in the form of a block diagram. This system 402 has a processor 404 Designed to support the methodology described above for obfuscating private state data in memory. The processor 404 has a default cache 410 and a private cache 416 on, being on the latter on the system 402 can not access running software and is used to store the private state data in a non-encoded (non-obfuscated) form. In this embodiment, a system chipset is 406 provided to the processor 404 to allow with the memory 408 to communicate. The chipset 406 may include a memory controller (not shown) and other logic needed to interface with the peripherals of a computer (also not shown). In some embodiments, the functionality of the chipset 406 or a functional subset in the processor 404 be implemented.

In 4 is the memory 408 shown as he is in a publicly accessible region 418 the coded private status data of the processor 404 stores. This is an example where a cipher refers to the values of the internal processor state of the processor 404 was applied so that the actual values are not obtained by simply monitoring and reading the memory 408 easily retrieved or reverse developed.

As described above, the obfuscation of data stored in the coded private status region 418 are achieved in different ways. 4 shows an example of such a mechanism wherein both the data values are encoded and the data layout is encoded / obfuscated. First data values in table 470 are encoded using a Vigenère cipher, resulting in the data values shown in Table 480 (described below) are shown. Then a special assignment of logical address values of the private status data to physical address values is applied, the assignment results being shown in Table 490 are shown. The physical addresses specify where the private state data is actually stored in memory. The physical addresses can therefore be said to result from encoding the logical addresses.

The table 470 in 4 The "Decrypted Address Data" has a list of examples of logical addresses and their associated private state data values that are in uncoded form in the cache 416 are stored. Here, only null data values were selected to demonstrate the resulting encoding. It should be noted that an "X" represents the uncoded upper bits of the virtual and physical addresses of the status data. The table 490 named "Private State Memory Map" shows an example of mapping between non-encoded and encoded addresses. Here only the lower 4 bits are coded.

6 FIG. 12 shows one embodiment of a programmable (parameterized) address mapping function that operates in the system 4 can be used. In 6 would be the polynomial control register 604 with P ₀ = 1, P ₁ = 1, P ₂ = 0, P ₃ = 0 loaded to implement the primitive polynomial x ⁴ + x ¹ + x ⁰ and the optional mask register 610 to load with all zero values. This logic is an application of the equations that determine general MISRs with a bit width w, and can be used to construct various types of address coding combining logic. The parameterized MISR state equations are: S _i (t + 1) = S _i-1 (t) + I _i + (P _i * S _w-1 (t)), 1 ≤ i ≤ w - 1 S ₀ (t + 1) = I ₀ + (P ₀ * S _w-1 (t))

Here, the operator "+" represents a modulo-2 addition (XOR) and "·" represents a modulo-2 multiplication (AND). Parameter "t" represents time (clocks), S, the status of the i-th flip-flop, I _i , the ith input vector bit, and P _i the i-th polynomial coefficient. The coefficient P _w is implicitly 1. In order to handle the address mixing embodiment 4 To achieve, all S _i (t) with the corresponding address values A _i and S _i (t + 1) to be replaced with output O _i . Other embodiments are possible.

Primary polynomials of order w are useful in that they can produce a "maximal sequence"; that is, they can generate all binary combinations or patterns of bit width w. It can be primitive polynomials of up to 300 (bit width 300 ) or even higher order.

To use using 4 the function shown above for accessing data at the logical address offset 0001 (as in entry 471 to explain), the physical memory at location 0010 is accessed (as entry 491 shows). The unencoded content value belonging to this address (see entry 471 ) consists in this case exclusively of zeros. If he, however, as in entry 481 stored in coded form, a non-zero row (ie 11110101) appears in the public region 418 of the memory 408 , (This encoding cipher will be described in more detail later.) Although limited bit widths are shown for convenience, the method may be applied to wider or parallel bitmap data.

Store and retrieve encoded private state data in memory 408 as they are in 4 can be shown using the logical blocks 5 be implemented.

For this example, a special micro-operation (i.e., a control signal) has been set for the processor that will be used when storing or retrieving private status data in memory.

An address generation unit (AGU) 504 receives a special micro-operation and in this embodiment calculates a logical address with a high and a low component. In one embodiment, the logical address is a virtual address. In another embodiment, as in 5 As shown, the logical address is a linear address as found in ^{Intel® Pentium®} processors. In another embodiment, the logical address is a physical address, and no translation of the high address bits is needed. In 5 the high component of the address is a linear-physical address translation block (also referred to as a translation buffer or TLB) 508 which supplies this high component of the linear address (which may be a virtual page number) into a part of a physical address 509 translated.

An address concealment unit 514 In this embodiment, it is intended to receive the low portion of the linear address value associated with the respective private state data of the processor. In response, the address veiling unit translates 514 this low component of the linear address to another section of the physical address 509 provide. The value of this portion of the physical address is a mixed or encoded version of the linear address, as described above with reference to FIG 1 and 4 described.

In one embodiment, the particular micro-operation or UOP signal (control signal) determines whether the address-coding unit 514 should encode the lower order address bits. If the control signal is not asserted, the lower order address bits may be in unencoded form by the unit 514 or at the unit 514 pass by. Even if the coding control signal (or signals) are acknowledged, some address bits may pass uncoded. This can be done, for example, if only a subset of the address bits need to be coded if the private state memory region is smaller than the address space size addressable by the lower order bits. Other embodiments exist wherein address coding occurs after the linear physical address translation and therefore allows the coding of address spaces larger than a virtual memory page. An advantage of in 5 In the embodiment shown, the linear-physical translation is parallel to the encoding process rather than serial, so that it is potentially faster. Also, encodings are often only needed for private state storage regions that are smaller than the virtual memory page size.

The high component of the physical address (generated by TLB 508 ) and the low component of the physical address (generated by the address concealment unit 514 ), when linked, create a physical address 509 pointing to the actual place in the store 408 indicates where the respective status data is stored. The physical address 509 is first in this embodiment to the buffer 410 applied, and if this fails, the content of the location becomes memory 408 retrieved or in memory 408 stored (depending on whether the process is a load or a store). Other arrangements of the memory hierarchy are possible.

It should be noted that in this embodiment, a region in memory 408 , which is intended to store the private state data, occupy only a portion of the page, and may be aligned with the edge of a virtual memory page. In this case, only the page shift portion of the linear address (that is, the low portion of the linear address) passes the address obfuscation unit 514 to generate the encoded physical page shift. Other implementations are possible. In addition, the address obfuscation or coding unit may 514 include range selection logic so that only addresses within specific regions of the memory are encoded. With this logic, the memory region need not necessarily be aligned with the edge of a virtual memory page or have a power size of 2. Internally, the address obfuscation or coding unit 514 be implemented by means of microcode, software, lookup tables, hardwired function logic, programmable logic, or any combination of these methods (see 6 to a key element of such an implementation).

Still referring to 5 Note that the default cache 410 of the processor in this embodiment is used to store the encoded or obfuscated private status data. If coded content 510 either from the cache 410 or the memory 408 It can be supplied by means of a data coding and decoding unit 524 be decoded. The decoded content value 520 then becomes in the private status area in this embodiment 516 saved by the processor. As before, there are buffers 410 and memory 408 while the private state scope is only accessible to the internal processes of the processor. The data encoding and decoding unit 524 can also be used vice versa if the private state data is written in memory in coded form. In such an embodiment, the unit would 524 encode a content value that is from the Private Status area 516 can come.

In some embodiments, special instructions for accessing some or all of the private status data may be provided in the ISA of the processor. These instructions, when executed, may transfer unencoded data from the private status area 516 (please refer 5 ) or special micro-operations or hardware control signals to access the region 418 in memory 408 (please refer 4 ), where the private status data is stored in coded form. While other instructions of the ISA (eg normal load and store instructions) may also be able to affect the public regions of the ISA memory 408 and / or the cache 410 From such a read access, private status data values whose address values are either obfuscated and / or whose data content is encoded result. Accordingly, without special hardware support, it is not possible to reverse engineer or otherwise restore the private state data within an acceptable time frame.

Although the mechanism described above includes logic components implemented within a processor device, other arrangements are possible, with some or all of the logic implemented in the system chipset, for example. Additionally, special bus cycles can be used to access the private status region 418 of the memory 408 ( 4 ).

Turning to 6 For example, a more detailed design of an example of a programmable 4-bit address bit obfuscation (coding) mechanism is shown. This design may be for the address veiling / coding unit 514 out 5 and the logical-physical address assignment (for the low order bits) in 4 to create.

The logical diagram 6 FIG. 4 is one embodiment of a combination logic portion of a 4-bit wide, multi-input linear feedback shift register (MISR) with a fourth-order polynomial using the method described above. This combination logic is used by the polynomial control register 604 , the optional mask register 610 and the input address source 606 fed. It should be noted that this logic is not a complete MISR, but exploits the mappings properties of a MISR.

In 6 becomes the polynomial control register 604 loaded with the binary coefficients of a polynomial. For example, the circuit off 6 to configure the in 4 To implement the illustrated logical-physical address mapping with the primitive polynomial x ⁴ + x ¹ + x ⁰ would be the polynomial control register 604 loaded with binary coefficients P ₀ = 1, P ₁ = 1, P ₂ = 0, P ₃ = 0. The address bit vector 0000 is assigned 0000 when the optional mask register 610 set to 0000. The input address source 606 represents the logical 4-bit address to be encoded. The optional mask source 610 (eg the control register) allows the construction of different assignments.

As described above, the mask register 610 and the polynomial control register 604 be changed during operation. For example, the values that are loaded may be derived from a pseudo-random data source during power-on reset processing. This may prevent attempts at accessing private state data or bypassing given access methods (such as the specific ISA instructions described above). 6 Figure 4 is an embodiment that is relatively efficient and, with moderate hardware overhead, allows programmability with binary coefficient and mask values with relatively few gate delays. Other logic designs for implementing the address obfuscation unit 514 are possible. Additional logic or associative memory (CAMs) may be used to further restrict the range of addresses modified by the address bit encoding mechanism. In addition, more complex logic can be designed for the encoding and decoding processes, for example, to enhance coding (if necessary).

The encoding of the content values of the private state data may be accomplished in a manner similar to that described above for address obfuscation. One approach is to associate the logical address shifts (for aligned regions of private state data) or some constant abscissa values with XOR, where the contents of a given private state element are to be encoded. A more sophisticated encoding mechanism may be applied to a stream of private state data values. A variant of a feedback shift register method (linear, non-linear, multi-input, etc.) can be used with an initial name. The initial name is defined as the initial state loaded into the feedback shift register. For each data value in succession, the feedback shift register may be advanced and its contents bit-wise XORed with the contents of the internal register. This is called a Vigenère cipher, and an example of this is in tables 470 . 480 out 4 shown above, where each unencoded content (data) value in 470 is null (for example, entry 471 ), but does not appear as such when encoded in 480 (eg entry 481 ) is stored in memory 408 , This cipher uses the shift register to generate a pseudo-random sequence of bitwise XOR masks. In this case, any pseudo-random mask will be byte-wide while being generated by a MISR (see 480 ) is bit-wise XORed to the next data value in the address sequence. Only the polynomial and the shift register initial seed value are needed to recreate exactly the same sequence. In one embodiment, the configuration information (eg, polynomial and initial name) of the encoding and / or decoding unit may be stored in memory along with the encoded status region 408 be saved. To decode the private state, the configuration information (eg, polynomial and Initial names) (and possibly decoded using another fixed coding method) and then used. As long as each mask in the sequence is applied to the corresponding data in the same order (eg, one mask is applied per addressable unit), the bitwise XOR masking produces (decodes) the original data. As previously discussed, the polynomial and MISR initial seed value may be changed using various methods or constraints (eg, at startup, during operation, etc.). In order to recover the original data, the decoding method (s) suitable for the encoding method or methods originally used, namely to undo the encoding, must be used. Vigenère ciphers are just one example of private state data value encoding mechanisms that are efficient and allow programmability with simple binary coefficient lists, seeds, etc., as well as a moderate amount of hardware and only a few tag delays. Other embodiments are also possible.

In one embodiment of the invention, the processor may be the private status region 132 in memory (see 1 ) at transitions between operating modes of the processor. For example, the processor may access the Private Status Region when entering System Management Mode (SMM) as described above. These transitions between modes of operation are referred to herein as mode changes. Mode changes include, for example, movement between normal mode and system management mode, between a virtual machine (VM) and a virtual machine monitor (VMM) in a virtual machine system, between a user-level operating system process and the operating system kernel, etc.

In one embodiment of the invention, the processor may be the private status region 132 in memory at any time after assigning the private status region. For example, in a virtual machine system, the VMM may provide a region in memory for processor utilization during virtual machine operation. The VMM may indicate to the processor the location of the private status region (eg, by executing an instruction defined in the ISA). Once the processor has received the advertisement, it is free to use the private status region as appropriate. For example, during transitions between a VM and the VMM (ie, mode switch points), the processor may access the private status region. Additionally, the processor may access the region during operation of a VM or VMM. For example, the processor may access control information from the private status region, or the processor may store tentative values in the private status region.

The ISA may also provide a mechanism whereby the VMM may determine that a private status region should no longer be used (eg, by executing an instruction). In other embodiments, private status regions may be allocated using other methods. For example, a private status region may be assigned by writing model-specific registers (MSRs), by executing instructions in the ISA, by writing memory locations, and so on.

Although the above examples describe embodiments of the present invention in the context of execution units and logic circuits, other embodiments of the present invention may be accomplished by software. For example, in some embodiments, the present invention may be embodied as a computer program product or software that includes a machine or computer-readable medium having stored thereon instructions that may be used to program a computer (or other electronic device) to perform a process to perform an embodiment of the invention. In other embodiments, operations may be performed on specific hardware components that include microcode, hardwired logic, or any other combination of programmed computer components and custom hardware components.

Thus, a machine-readable medium may include, but is not limited to, a mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), floppy disks, compact disks, read-only memories (CDROMs), and magneto-optic disks, read-only memory (ROMS), random access memory (RAM), erasable programmable read only memory (EPROM), electrically erasable programmable read only memory (EEPROM), magnetic or optical cards, flash memory, transmission over the Internet, electrical, optical, acoustic or other Shapes of transmitted signals (eg, carrier waves, infrared signals, digital signals, etc.) or the like.

Furthermore, a design may go through several stages, from generation to simulation, to fabrication. Data representing a design can represent the design in different ways. First, as useful in simulations, the hardware may be represented using a hardware description language or other functional description language. In addition, at some stages of the design process, a circuit level model with logic and / or transistor gates may be generated. Also, most designs at one level achieve a level of data that represents the physical arrangement of various devices in the hardware model. In the event that conventional semiconductor manufacturing techniques are used, the data representing a hardware model may be the data that specifies the presence or absence of various features on different mask layers that are used to fabricate the integrated circuit. With each representation of the design, the data can be stored on any type of machine-readable medium. An optical or electrical wave that is modulated or otherwise generated to transmit such information, a memory or a magnetic or optical memory such. B. a disc may be a machine-readable medium. Each of these media may "carry" or "display" the design or software information. When an electric carrier wave indicating or carrying the code or design is transmitted so that copying, buffering or retransmission of the electrical signal is performed, a new copy is made. Thus, a communications provider or a network provider may make copies of an article (a carrier wave) embodying methods of the present invention.

In the foregoing description, the invention has been described with reference to various methods for accessing data on the status of a data processing machine from a publicly accessible memory. It will, however, be understood that various modifications and changes may be made without departing from the broader spirit and scope of the embodiments of the invention as defined in the appended claims. The description and the figures are accordingly to be understood as illustrative rather than limiting.

Claims (26)

A method of operating a data processing machine comprising the steps of: a) applying a coding process to private status data by a processor ( 110 ), the private status data detecting a status of the processor, b) writing the coded private status data to a location in a memory ( 130 ) accessible to software by executing a first instruction from a plurality of instructions in the instruction set architecture of the processor, and c) obtaining the status of the processor by the software by executing a second instruction of the plurality of instructions in the instruction set architecture of the processor, wherein the execution of the second instruction causes the processor to ( 110 ) reads the encoded private status data from the memory, decodes the encoded private status data to generate decoded private status data, and stores the decoded private status data in the processor. The method of claim 1, wherein the private status data is either written a) in a freely accessible location in a register file of the processor, b) in a cache or c) in a memory. The method of claim 1, wherein the encoding process is one in which the location of the written content of a respective internal register ( 114 ) of the processor changes randomly at least once while repeating steps a) to b). Method according to claim 1, wherein the private data concerning the status of the machine is either a register value or a value from the memory ( 408 ) are. The method of claim 1, wherein the encoding process is one in which the storage format of the written contents of a respective internal register ( 114 ) of the processor randomly changes at least once between big-endian and little-endian while repeating steps a) to b). The method of claim 1, wherein the encoding comprises encrypting a value of the private data to obtain the encoded private data. The method of claim 1, wherein the encoding comprises address coding to obfuscate the address value of the private data. The method of claim 1, wherein the encoding process is one in which a cipher is indexed to the contents of a respective register ( 114 ) is applied to generate a coded value, which is then sent to the location in memory ( 130 ) is written. The method of claim 1, further comprising storing the decoded private status data in a private memory of the processor. The method of claim 1, wherein acquiring comprises: reading a plurality of values from the memory ( 408 ); and combining the read multiple values to form a single unencoded value of the private data. The method of claim 1, wherein obtaining comprises: Reading multiple values from one or more non-contiguous memory locations; Combining the read values to form a single value; and decoding the single value to form a single unencoded value of the private data. Data processing machine with a processor ( 110 ) and a memory, wherein the data processing machine is set up, a) an encoding process to private status data by the processor ( 110 ), wherein the private status data capture a status of the processor, b) the encoded private status data to a location in a memory ( 130 ) accessible to software by executing a first instruction from a plurality of instructions in the instruction set architecture of the processor; and c) the status of the processor by the software by executing a second instruction of the plurality of instructions in the instruction set architecture of the processor obtaining, the execution of the second command causes the processor ( 110 ) reads the encoded private status data from the memory, decodes the encoded private status data to generate decoded private status data, and stores the decoded private status data in the processor. Data processing machine according to claim 12, wherein the processor ( 110 ) has a special read micro-operation which is used when the processor ( 110 ) reads the status data from the memory unit. Data processing machine according to claim 13, wherein the processor ( 110 ) an internal buffer ( 410 ) and the coded status data to a freely accessible location in the cache ( 410 ) writes. Data processing machine according to claim 13, wherein the processor ( 110 ) retrieves the status data and writes the retrieved status data to a private location in the data processing engine Data processing machine according to claim 13, wherein the processor ( 110 ) regains the status data and configures itself with the retrieved status data in preparation for resuming the execution of an interrupted task. Data processing machine according to claim 13, wherein for the processor ( 110 ) there is an instruction defined by the manufacturer which, when executed by the processor ( 110 ) decodes and reads the status data from the memory unit. Data processing machine according to claim 12, wherein for the processor ( 110 ) a special micro-operation is defined to access the encoded status data from the memory unit, and wherein the processor ( 110 ) comprises an address concealment unit for receiving an address value associated with respective status data of the processor, the address value being derived from a message of the particular microoperation, and the concealment unit providing a coded physical address value indicative of the actual location in the memory unit, where the respective status data is stored. Data processing machine according to claim 12, wherein for the processor ( 110 ) a hardware control signal for accessing the encoded data from the memory unit is defined, and wherein the processor ( 110 ) has an internal buffer and a data conversion unit which receives data values from the buffer memory as a result of a buffer memory access derived from the hardware control signal, and decodes the data value into the actual status data of the processor. Computer system, with a processor ( 404 ), and one with the processor ( 404 ) communicating main memory ( 408 ), which has a public area ( 416 ), which is intended to store the private status data of the processor ( 404 ) in coded form, the processor ( 404 ) a) an encoding process to private status data by the processor ( 110 ), wherein the private status data capture a status of the processor, b) the encoded private status data to a location in a memory ( 130 ) accessible to software by executing a first instruction from a plurality of instructions in the instruction set architecture of the processor; and c) the status of the processor by the software by executing a second instruction of the plurality of instructions in the instruction set architecture of the processor obtaining, the execution of the second command causes the processor ( 110 ) reads the encoded private status data from the memory, decodes the encoded private status data to generate decoded private status data, and stores the decoded private status data in the processor. The system of claim 20, wherein the processor ( 404 ) encodes the private status data before saving in the public domain. The system of claim 20, wherein the processor ( 404 ) a value coming from the public Range was decoded prior to use. The system of claim 20, wherein the processor ( 404 ) an internal memory unit ( 428 ) in which a public area is designated to store a copy of the private status data in coded form. The system of claim 23, wherein the internal memory unit ( 428 ) is either a cache or a register file. The system of claim 23, wherein a private area in the internal storage unit (16) 416 ) is determined to store the private status data in uncoded form. The system of claim 20, further comprising a system chipset ( 406 ) containing the processor ( 404 ) communicates with the main memory.

Images